Re: [sysapps/runtime] cross origin XHR in packaged apps

On Wed, Apr 10, 2013 at 9:08 AM, Janusz Majnert <jmajnert@gmail.com> wrote:
> 2013/4/10 Jonas Sicking <jonas@sicking.cc>:
>> On Mon, Apr 8, 2013 at 10:11 PM, Janusz Majnert <jmajnert@gmail.com> wrote:
>>> Hi Robin,
>>>
>>>>> I think we have a perfectly good solution now: CSP + CORS. The problem,
>>>>> as Ming Jin stated in the first message, is that most servers are not
>>>>> yet CORS enabled, and even if they are, they will not recognise the
>>>>> "app://" origins of packaged apps. To make matters worse, we still don't
>>>>> know how the origin will be constructed, will it identify the application.
>>>>
>>>>
>>>> I'm sorry, but I'm not sure I understand the limitations that you're seeing
>>>> here.
>>>>
>>>> In my experience, CORS-enabling a server, at least for the simple cases that
>>>> don't require a preflight, is actually fairly simple. Doubly so if you
>>>> consider that in most cases you want to access an API of some form, which
>>>> means that the required headers are under programmatic control and therefore
>>>> relatively easily changed. Sure enough, CORS-exposing static files on a
>>>> shared server, or coding up preflight checks, can be hard, but I think those
>>>> are closer to corner cases.
>>>>
>>>> As for recognising app: origins I'm not sure what the problem is. We can
>>>> make the app: authority predictable for a given application if we need to.
>>>> Beyond that, I don't see what's special about app: that would be a problem
>>>> to servers.
>>>
>>> We are talking about packaged apps that want to use someone else's
>>> APIs.
>>
>> Actually, I was mostly talking about a developer wanting to develop a
>> packaged app that wants to use the developer's *own* APIs. I.e. a
>> developer writing a packaged app, as well as a server which provides
>> various APIs that the packaged app is intended to use.
>
> So if the developer controls both the packaged app and the server side
> APIs, they can surely get it to work without any origin faking, right?

Absolutely. This is just about making it dramatically easier to do so.

/ Jonas

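The point made in the quoted exchange above, that CORS-enabling an API whose response headers are under programmatic control is straightforward for the non-preflight case, shown as an added example. This is illustrative code written for this page, not code from the thread, the sysapps runtime, or any browser; the two allowed origins (including the app:// authority, whose exact form the thread leaves open), the header names and the method sets are constructed placeholders.

```python
# Added example (not from the thread or the sysapps runtime): a server-side
# CORS policy for an API whose allowed callers include a packaged app's
# app:// origin.  Origins and header/method sets are constructed placeholders.
from typing import Dict, Iterable, Optional, Tuple

# Exact-match allowlist.  Exact comparison matters: a prefix or regex check
# would also accept "https://api.example.test.attacker.example".
ALLOWED_ORIGINS = frozenset({
    "https://api.example.test",                # assumed web origin
    "app://packaged-app.placeholder.example",  # assumed app:// origin (placeholder form)
})

# Requests the browser sends without an OPTIONS preflight ("simple" requests).
SIMPLE_METHODS = frozenset({"GET", "HEAD", "POST"})
SIMPLE_HEADERS = frozenset({"accept", "accept-language", "content-language", "content-type"})
SIMPLE_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
})

# What this API is willing to grant to a preflighted request.
PREFLIGHT_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})
PREFLIGHT_HEADERS = frozenset({"authorization", "content-type"})
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache the preflight answer


def is_simple_request(method: str, headers: Dict[str, str]) -> bool:
    """True if the browser would send this request without a preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return False
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return False
    return True


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Headers to add to an ordinary (non-preflight) API response.

    The allowed origin is echoed exactly rather than answered with "*": a
    wildcard cannot be combined with credentials, and "Vary: Origin" stops a
    shared cache from serving one origin's answer to another.  An origin that
    is not on the list gets no CORS headers, so the browser blocks the read.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def preflight_response(origin: Optional[str],
                       requested_method: str,
                       requested_headers: Iterable[str] = ()) -> Tuple[int, Dict[str, str]]:
    """Answer an OPTIONS preflight as (status, headers)."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return 403, {}
    wanted = {h.strip().lower() for h in requested_headers if h.strip()}
    if requested_method.upper() not in PREFLIGHT_METHODS or not wanted <= PREFLIGHT_HEADERS:
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(PREFLIGHT_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(PREFLIGHT_HEADERS)),
        "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE),
        "Vary": "Origin",
    }


if __name__ == "__main__":
    app_origin = "app://packaged-app.placeholder.example"
    print(cors_headers(app_origin))
    print(cors_headers("https://api.example.test.attacker.example"))  # {} -> blocked
    print(preflight_response(app_origin, "PUT", ["Content-Type", "Authorization"]))
```

The two functions map onto the distinction drawn in the thread: a GET or form POST from the packaged app only needs `cors_headers()` on the normal response, while a JSON PUT with an Authorization header first triggers the OPTIONS preflight handled by `preflight_response()`. Both keep the same exact-match allowlist, which is the part a server operator actually has to get right.
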
Received on Wednesday, 10 April 2013 13:48:44 UTC